F-Secure Virus Descriptions : Montp
The Montp spying trojan was first discovered in April 2004. The latest
variant, Montp.F, was found on the 6-7th of June 2004.
The Montp trojan has powerful spying features: it collects
information from users of numerous on-line banks and sends the
collected data to a hacker by uploading specially created files
to an ftp server. The trojan can also download and run additional
files from ftp and http servers. Additionally, the trojan uses
stealth techniques to hide its files and Registry keys.
The trojan's main file is a PE executable 44032 bytes long, packed
with the PECompact file compressor. The trojan drops a DLL file which
is 241664 bytes long and is not packed.
Installation to System
When the trojan's executable file is run, it installs itself on the
system. It copies its file to the \qmin\ subfolder of the Windows
System folder under a randomly generated name, for example
'adpgcjca.exe'. Then the trojan drops a DLL file named
'qmin2.dll' into the Windows System folder and activates it. This DLL
is used to hook certain APIs in order to intercept HTTPS requests
and to hide the trojan's files and Registry keys (stealth mode).
The trojan also creates the file 'xtempx.xxx' in the Windows
System folder.
A startup key is created for the trojan's executable file in
the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"qmin" = "%WinSysDir\qmin\<random>.exe"
Additionally the trojan creates the following Registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"qmin"
[HKCU\Software\Microsoft\Windows]
"qmax"
The last key is set at the beginning of the data stealing process
and deleted afterwards.
Stealing On-line Bank Data and Other Information
The dropped DLL component checks whether the user opens any of the
following URLs over the HTTPS protocol (bank names are replaced
with <bank_name>):
<bank1_name>.co.uk
<bank2_name>.co.uk
<bank3_name>.com
<bank4_name>.tv
<bank5_name>.com
<bank6_name>.com
<bank7_name>.com.au
<bank8_name>.com.au
<bank9_name>.com
<bank10_name>.co.uk
<bank11_name>.co.uk
<bank12_name>.com
<bank13_name>.co.uk
<bank14_name>.co.uk
<bank15_name>.co.uk
<bank16_name>.com
<bank17_name>.com.au
<bank18_name>.com
<bank19_name>.com
<bank20_name>.co.nz
<bank21_name>.com
<bank22_name>.com
<bank23_name>.com
<bank24_name>.se
<bank25_name>.com.vn
<bank26_name>.com
<bank27_name>.com
<bank28_name>.com
<bank29_name>.de
<bank30_name>.com
<bank31_name>
<bank32_name>.com
<bank33_name>.com
<bank34_name>.com.hk
<bank35_name>.com
<bank36_name>.com
<bank37_name>.com
<bank38_name>.com
<bank39_name>.com.au
<bank40_name>.com
<bank41_name>.de
<bank42_name>.com.my
<bank43_name>.com.my
<bank44_name>.de
<bank45_name>.com.au
<bank46_name>.com
<bank47_name>.net.au
<bank48_name>.com
<bank49_name>.com
<bank50_name>
<bank51_name>.com
<bank52_name>.com
<bank53_name>.com
<bank54_name>.com
<bank55_name>.com
<bank56_name>.com
<bank57_name>.com.au
<bank58_name>.com
<bank59_name>.de
<bank60_name>.de
<bank61_name>.com.hk
<bank62_name>.com
<bank63_name>.com
<bank64_name>.com
<bank65_name>.com
<bank66_name>.com.au
<bank67_name>.com
<bank68_name>.co.nz
<bank69_name>.co.nz
<bank70_name>.com
<bank71_name>.com.au
<bank72_name>.com.au
<bank73_name>.com
<bank74_name>.com
If a user opens any of those URLs (most of which belong to on-line
banks), the trojan's DLL creates a file with a corresponding
name. However, for several URLs the trojan creates a file with a
common name. The following files are created by the trojan:
<bank1_name>_co_uk.pst
<bank2_name>_co_uk.pst
<bank3_name>_com.pst
<bank4_name>.pst
<bank5_name>_com.pst
<bank6_name>.pst
<bank7_name>_com_au.pst
<bank8_name>_com_au.pst
<bank9_name>_com.pst
<bank10_name>_CO_UK.pst
<bank11_name>_CO_UK.pst
<bank12_name>_COM.pst
<bank13_name>_CO_UK.pst
<bank14_name>_co_uk.pst
<bank15_name>_co_uk.pst
instant1f.pst (used for several URLs)
Also the trojan's DLL checks for URLs containing any of the
following strings:
Information from web pages intercepted that way is collected into
the file named 'global1f.pst'.
Then the trojan's EXE file processes the PST files created by the DLL
component, except 'instant1f.pst' and 'global1f.pst' (these are
uploaded to an ftp site 'as is').
After processing the PST files created for certain banks, the
trojan creates corresponding .INI files containing information such
as the user's name, customer ID, date of birth, passwords, PINs,
account numbers and other important data. The following files are
created after processing of the bank-related PST files:
<bank1_name>_co_uk.ini
<bank2_name>.ini
<bank3_name>_co_uk.ini
<bank4_name>.ini
<bank5_name>.ini
<bank6_name>.ini
<bank7_name>.ini
<bank8_name>.ini
<bank9_name>_co_au.ini
<bank10_name>.ini
<bank11_name>.ini
<bank12_name>.ini
<bank13_name>.ini
<bank14_name>.ini
The files with collected data are uploaded to an ftp site into
directories named 'MAIN', 'FILT' and 'SPAM'. Sorted stolen data
from major banks, stored in the .INI files, is uploaded to the 'MAIN'
folder; data stolen from other banks, stored in the 'instant1f.pst'
file, is uploaded to the 'FILT' folder; and finally the 'global1f.pst'
file, with data collected from the other URLs, is uploaded to the
'SPAM' folder.
Payload
The trojan modifies the HOSTS file to redirect the domain name
'web.da-us.citibank.com' to the IP address 66.98.244.59.
The trojan attempts to download and run a file named
'update8.exe' from the 'www.projecx.net' website. At the time this
description was written, that file was no longer accessible.
Additionally, the trojan attempts to download and run a file named
'update.exe' from the ftp server to which it uploads stolen data.
The trojan sets 'about:blank' as the Internet Explorer start page.
The Montp trojan looks for and terminates processes with the
following names:
ARMOR2NET.EXE
SAVSCAN.EXE
NPROTECT.EXE
NVSVC32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE
Most of these names belong to anti-virus and firewall software.
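As an added example (not part of F-Secure's description or its tools), the following Python script checks the host-level indicators given above: the 'qmin' Run value pointing into the \qmin\ subfolder, the dropped 'qmin2.dll' and 'xtempx.xxx' files in the Windows System folder, and a HOSTS entry pinning 'web.da-us.citibank.com'. It works on exported data (Run key values, a directory listing, HOSTS text) rather than touching a live machine, so it runs anywhere; the sample inputs are constructed.

```python
import re

# Indicators taken from the description above. The sample inputs at the
# bottom are constructed for this example, not captured from an infection.
RUN_VALUE_NAME = "qmin"
RUN_PATH_RE = re.compile(r"\\qmin\\[^\\]+\.exe\s*$", re.IGNORECASE)
DROPPED_FILES = {"qmin2.dll", "xtempx.xxx"}
HIJACKED_HOST = "web.da-us.citibank.com"
HIJACK_IP = "66.98.244.59"


def check_run_key(run_values):
    """run_values: {value name: data} exported from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and RUN_PATH_RE.search(data):
            hits.append(f"Run value '{name}' starts {data.strip()} from the qmin subfolder")
    return hits


def check_system_dir(filenames):
    """filenames: names listed in the Windows System folder (case-insensitive match)."""
    found = DROPPED_FILES & {f.lower() for f in filenames}
    return [f"dropped file present: {f}" for f in sorted(found)]


def check_hosts(hosts_text):
    """Flag any HOSTS line that pins the bank hostname, noting whether the
    address is the one the trojan is known to use."""
    hits = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        if HIJACKED_HOST in names:
            tag = "matches the Montp address" if ip == HIJACK_IP else "unexpected address"
            hits.append(f"HOSTS line {lineno}: {HIJACKED_HOST} -> {ip} ({tag})")
    return hits


def scan(run_values, system_files, hosts_text):
    """Combine the three checks into one list of findings (empty = clean)."""
    return check_run_key(run_values) + check_system_dir(system_files) + check_hosts(hosts_text)


# Constructed sample data modelled on the description.
SAMPLE_RUN = {"qmin": r"C:\WINDOWS\system32\qmin\adpgcjca.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_SYSDIR = ["kernel32.dll", "qmin2.dll", "XTEMPX.XXX"]
SAMPLE_HOSTS = "127.0.0.1 localhost\n66.98.244.59 web.da-us.citibank.com # added\n"

if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN, SAMPLE_SYSDIR, SAMPLE_HOSTS):
        print(hit)
```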
Detection of Montp.F spying trojan was published on June 7th,
2004 in the following F-Secure Anti-Virus update:
[FSAV_Database_Version]
Version=2004-06-07_01
Technical Details:
Alexey Podrezov; June 8th, 2004;
F-Secure Corporation